[Repo Assist] refactor(cmd): add getDefault helpers for all DIFC flag env vars

[github-actions]

🤖 This PR was created by Repo Assist, an automated AI assistant.

Summary

Several DIFC flags in internal/cmd/flags_difc.go used os.Getenv() directly in the init() function instead of following the getDefault*() helper pattern documented in flags.go. Additionally, the helper table in flags.go referenced getDefaultDIFCSinkServerIDs() which did not exist — a stale documentation error.

Changes

internal/cmd/flags_difc.go

• Adds getDefaultDIFCSinkServerIDs() (was referenced in flags.go table but missing)
• Adds getDefaultGuardPolicyJSON()
• Adds getDefaultAllowOnlyOwner()
• Adds getDefaultAllowOnlyRepo()
• Adds getDefaultAllowOnlyMinIntegrity()
• Updates init() to use all helper functions consistently

internal/cmd/flags.go

• Expands the helper table to list all 11 getDefault*() helpers, including getDefaultAllowOnlyScopePublic() which existed but was not documented

internal/cmd/flags_difc_test.go

• Updates TestGetDefaultDIFCSinkServerIDs to call getDefaultDIFCSinkServerIDs() directly (previously tested os.Getenv() directly, not the helper)
• Updates TestGetDefaultGuardPolicyInputs to call all new helpers, using t.Setenv() for cleaner automatic cleanup

Rationale

The getDefault*() pattern exists precisely to make each flag's environment variable override explicit and testable. Flags bypassing this pattern:

1. Are harder to test in isolation
2. Diverge from the codebase's own documented convention
3. Cannot be easily found via code search when looking for all env var defaults

This is a pure refactor — no behavioural changes. envutil.GetEnvString("X", "") is equivalent to os.Getenv("X") for string flags (both return empty string as default), and the helpers for owner, repo, min-integrity, and policy-json all default to "".

Test Status

⚠️ Infrastructure failure: The CI environment for this workflow run does not have Go module dependencies available (network access to proxy.golang.org is blocked), so make agent-finished could not be run. The changes are a pure refactor with no logic changes, and the updated tests exercise the new helper functions directly using t.Setenv() for safe parallelism.

The PR CI should run full tests in the normal build environment.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Note

🔒 Integrity filter blocked 14 items

The following items were blocked because they don't meet the GitHub integrity level.

• #2567 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• #2561 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [go-fan] Go Module Review: stretchr/testify #2568 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [aw] No-Op Runs #2566 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• Smoke Test: Copilot - 23578838399 #2565 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [large-payload-test] Large Payload Test - 23578426153 #2563 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [duplicate-code] Duplicate Code Pattern: SecrecyLabel and IntegrityLabel structural duplication in labels.go #2560 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [duplicate-code] Duplicate Code Pattern: AgentLabels getter methods duplicated for each label type #2559 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [duplicate-code] Duplicate Code Pattern: AgentLabels bulk label operations missing shared helper #2558 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• [duplicate-code] Duplicate Code Analysis Report #2557 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• Smoke Copilot - Issue Group #2554 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• Guards and Integrity: tracking issue #1711 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• search_issues search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".
• #2278 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "merged".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Repo Assist · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55

[Copilot]

Pull request overview

Refactors DIFC-related CLI flag default handling to consistently use getDefault*() helpers (envutil-backed), and updates documentation/tests to match the helper pattern described in internal/cmd/flags.go.

Changes:

• Added missing DIFC getDefault*() helpers (sink server IDs, guard policy JSON, allow-only scope owner/repo/min-integrity) and updated DIFC flag registration to use them.
• Expanded the flags.go helper table to document all currently available helpers.
• Updated DIFC flag tests to validate the helpers directly using t.Setenv().

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
internal/cmd/flags_difc.go	Adds new DIFC env-backed default helpers and wires them into flag registration.
internal/cmd/flags.go	Updates the documented table of getDefault*() helpers/env vars to reflect reality.
internal/cmd/flags_difc_test.go	Adjusts tests to exercise the new helpers directly and uses t.Setenv() for env isolation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

defaultAllowOnlyMinIntegrity is defined as an empty string and only used once; this constant doesn’t add meaning and slightly increases indirection. Consider inlining the empty string default, or (if you expect non-empty defaults later) defining defaults consistently for all new DIFC env-backed string flags in this file.

[Copilot]

In TestGetDefaultDIFCSinkServerIDs, the “no env var” case currently sets the env var to an empty string, which makes it behaviorally identical to the “empty env var” case and doesn’t actually exercise the unset path. Consider either removing one of the redundant cases, or explicitly unsetting the variable for the “no env var” case (with a t.Cleanup restore) so the test differentiates unset vs empty if defaults ever change.

Suggested change

	t.Setenv("MCP_GATEWAY_GUARDS_SINK_SERVER_IDS", "")
	// Ensure the env var is truly unset for this test case.
	const envKey = "MCP_GATEWAY_GUARDS_SINK_SERVER_IDS"
	origValue, hadEnv := os.LookupEnv(envKey)
	// Restore previous state after the subtest completes.
	t.Cleanup(func() {
	if hadEnv {
	_ = os.Setenv(envKey, origValue)
	} else {
	_ = os.Unsetenv(envKey)
	}
	})
	_ = os.Unsetenv(envKey)